I’ve covered event logging before, but the excellent site Malware Archaelogy has some cheat sheets that include Splunk queries you can use to find incidents or malware operating in your network, or even use to create dashboards so you can keep an eye on things. Malware Archaelogy’s list of events to log is a bit different from what I covered before, but there’s a considerable amount of overlap. You probably want what they recommend and what anyone else is recommending.

The key to corporate computer security is situational awareness, and I don’t think anyone sells a blinky box that provides enough of that. But you can build it with Splunk.

And, for what it’s worth, I do recommend Splunk. I’ve used Log Logic in the past, and its searches often take days to finish, which means Log Logic is so slow that by the time you find anything in it, it’s likely to be too late. Splunk isn’t quite real-time, but you can find stuff in a few minutes.

If you’ve ever upgraded a LogLogic universal collector and had it fail to work, it’s very disconcerting to see the error message when you try to reinstall the previous version: Downgrades aren’t supported. But there is a solution if you need to downgrade a Log Logic universal collector. Read more

My 9-5 gig revolves primarily around Tibco LogLogic (I’ll write it as Log Logic going forward, as I write in English, not C++), which is a centralized logging product. The appliances collect logs from a variety of dissimilar systems and present you with a unified, web-based interface to search them. When something goes wrong, having all of the logs in one place is invaluable for figuring it out.

That value comes at a price. I don’t know exactly what these appliances cost, but generally speaking, $100,000 is a good starting point for an estimate. So what if I told you that you could store 45% more data on these expensive appliances, and increase their performance very modestly (2-5 percent) in the process? Read on.